Posts

ARP Attack Detection Limitations

We were asked to describe or propose a way to detect ARP spoofing attack and consider possible weaknesses in the proposed method. This was my response:

The address resolution protocol (ARP) is a stateless protocol used to help endpoints resolve the media access control (MAC) address to the IP address so that packets can be delivered to the correct device on the local area network (LAN). ARP spoofing attacks can happen when source or destination ARP responses are forged, duplicated, poisoned, or otherwise conflicts with another host. The spoofing then enables a malicious endpoint to receive all traffic destined for the spoofed IP address. These types of attacks are possible because ARP caches on host machines are updated with no validation of matching MAC and IP addresses. ARP replies are also cached whether or not the host sends ARP requests. This can lead to denial of service, session hijacking, or man in the middle attacks.

The student proposes host-based based intrusion detection system (IDS) to identify denial of service, malformed packets, duplicate response or request spoofing ARP attacks. The IDS would work by:

Sending verification messages when ARP requests or replies are received to build a validated resolved IP and MAC table

Building IDS algorithms that search the above mentioned validated table and generates error messages for malformed, unicast or gratuitous packets

Creating a spoof detector algorithm that generates alerts when duplicate responses are received for probes

Generating alerts when unsolicited replies are discovered

Possible weaknesses in this approach include false positives, false negatives, and ongoing maintenance. Since ARP spoofing can present itself in many forms, detection could cause excessive false alarms, which could lead to incident response teams ignoring or suppressing alarms without proper investigation. Likewise, false negatives could be real ARP spoofing attacks that get ignored because responders have historically been inundated with time consuming alarms that were not actual attacks. Finally, ongoing maintenance could present an issue if human resource constraints exist. Like all other solutions, this approach would require care and feeding.